In enterprise networks it may be determined whether users are directly connected to the switch via authentication mechanisms. Authentication mechanisms may include dot1× (such as IEEE 802.1X port-based authentication), MAC Authentication Bypass (MAB) protocol, or other web-based authentications on wired or wireless ports. DHCP servers may be provided to provide authenticated users with leased out IP addresses.
However, in such environments, a switch may only be acting as a DHCP server and/or relay. Accordingly the switch may not maintain any lease time related information. Such lease time related information may be needed for to detect threats to the network. This may become an issue when a number of network device start behaving wrongly. For example, a network device may start a renewing and rebinding IP addresses over and over again despite the existence of remaining DHCP lease time on an original IP address.